Abstract

We provide an extensive study of the differential properties of the
functions $x \mapsto x^{2^t-1}$ over $\mathbb{F}_{2^n}$, for $1 < t < n$. We notably show that the
differential spectra of these functions are determined by the number of
roots of the linear polynomials $x^{2^t} + bx^2 + (b+1)x$ where $b$ varies in
$\mathbb{F}_{2^n}$. We prove a strong relationship between the differential spectra of
$x \mapsto x^{2^t-1}$ and $x \mapsto x^{2^s-1}$ for $s = n - t + 1$. As a direct consequence,
this result enlightens a connection between the differential properties
of the cube function and of the inverse function. We also determine the
complete differential spectra of $x \mapsto x^7$ by means of the value of some
Kloosterman sums, and of $x \mapsto x^{2^t-1}$ for $t \in \{\lfloor n/2 \rfloor, \lceil n/2 \rceil + 1, n-2\}$.

Keywords. Differential cryptanalysis, block cipher, S-box, power function, 
monomial, differential uniformity, APN function, permutation, linear poly- 
nomial, Kloosterman sum, cyclic codes. 

1 Introduction 

Differential cryptanalysis is the first statistical attack proposed for break- 
ing iterated block ciphers. Its publication 0] then gave rise to numerous 
works which investigate the security offered by different types of functions 
regarding differential attacks. This security is quantified by the so-called 
differential uniformity of the Substitution box used in the cipher [22] . Most 
notably, finding appropriate S-boxes which guarantee that the cipher using
them resists differential attacks has been a major topic for the last twenty
years, see e.g. [m ng El El E].

Power functions, i.e., monomial functions, form a class of suitable can- 
didates since they usually have a lower implementation cost in hardware. 
Also, their particular algebraic structure makes the determination of their 
differential properties easier. However, there are only a few power functions 
for which we can prove that they have a low differential uniformity. Up to 
equivalence, there are two large families of such functions: a subclass of the 
quadratic power functions (a.k.a. Gold functions) and a subclass of the so- 
called Kasami functions. Both of these families contain some permutations 
which are APN over $\mathbb{F}_{2^n}$ for odd $n$ and differentially 4-uniform for even $n$.
The other known power functions with a low differential uniformity correspond
to "sporadic" cases in the sense that the corresponding exponents
vary with $n$ [T7j and they do not belong to a large class: they correspond to
the exponents defined by Welch HI ED], by Niho [HI EH], by Dobbertin [15],
by Bracken and Leander [7], and to the inverse function [21]. It is worth
noticing that some of these functions seem to have different structures because
they do not share the same differential spectrum. For instance, for a
quadratic power function or a Kasami function, the differential spectrum has
only two values, i.e., the number of occurrences of each differential belongs
to $\{0, \delta\}$ for some $\delta$ [5]. The inverse function has a very different behavior
since its differential spectrum has three values, namely 0, 2 and 4 and, for 
each input difference, there is exactly one differential which is satisfied four 
times. 

However, when classifying all functions with a low differential uniformity,
it can be noticed that the family of all power functions $x \mapsto x^{2^t-1}$ over
$\mathbb{F}_{2^n}$, with $1 < t < n$, contains several functions with a low differential
uniformity. Most notably, it includes the cube function and the inverse
function, and also $x \mapsto x^{2^{(n+1)/2}-1}$ for $n$ odd, which is the inverse of a
quadratic function. At a first glance, this family of exponents may be of
very small relevance because the involved functions have distinct differential
spectra. Then, they are expected to have distinct structures. For this reason,
one of the motivations of our study was to determine whether some link could
be established between the differential properties of the cube function and
of the inverse function. Our work then answers positively to this question
since it exhibits a general relationship between the differential spectra of
$x \mapsto x^{2^t-1}$ and $x \mapsto x^{2^{n-t+1}-1}$ over $\mathbb{F}_{2^n}$. We also determine the complete
differential spectra of some other exponents in this family.

The rest of the paper is organized as follows. Section 2 recalls some
definitions and some general properties of the differential spectrum of monomial
functions. Section 3 then focuses on the differential spectra of the
monomials $x \mapsto x^{2^t-1}$. First, the differential spectrum of any such function is shown
to be determined by the number of roots of a family of linear polynomials.
Then, we exhibit a symmetry property for the exponents in this family: it
is proved that the differential spectra of $x \mapsto x^{2^t-1}$ and $x \mapsto x^{2^{n-t+1}-1}$ over
$\mathbb{F}_{2^n}$ are closely related. In Section 5 we determine the whole differential
spectrum of $x \mapsto x^7$ over $\mathbb{F}_{2^n}$. It is expressed by means of some
Kloosterman sums, and explicitly computed using the work of Carlitz [12]. We
then derive the differential spectra of $x \mapsto x^{2^{n-2}-1}$. Further, we study the
functions $x \mapsto x^{2^{\lfloor n/2 \rfloor}-1}$ and $x \mapsto x^{2^{\lceil n/2 \rceil+1}-1}$. We finally end up with some
conclusions.



2 Preliminaries 

2.1 Functions over $\mathbb{F}_{2^n}$ and their derivatives

Any function $F$ from $\mathbb{F}_{2^n}$ into $\mathbb{F}_{2^n}$ can be expressed as a univariate
polynomial in $\mathbb{F}_{2^n}[X]$. The univariate degree of the polynomial $F$ is, as usual,
the maximal integer value of its exponents. The algebraic degree of $F$ is the
maximal Hamming weight of its exponents:

$$\deg\left(\sum_{i=0}^{2^n-1} \lambda_i X^i\right) = \max\{\, wt(i) \mid \lambda_i \neq 0 \,\},$$

where $\lambda_i \in \mathbb{F}_{2^n}$ and the Hamming weight is calculated as follows:

$$i = \sum_{j=0}^{n-1} i_j 2^j \ \text{ with } i_j \in \{0,1\}, \qquad wt(i) = \sum_{j=0}^{n-1} i_j.$$

In this paper, we will identify a polynomial of $\mathbb{F}_{2^n}[X]$ with the corresponding
function over $\mathbb{F}_{2^n}$. For instance, $F \in \mathbb{F}_{2^n}[X]$ is called a permutation
polynomial of $\mathbb{F}_{2^n}$ if the function $x \mapsto F(x)$ is a permutation of $\mathbb{F}_{2^n}$.

Boolean functions are also involved in this paper and are generally of
the form

$$x \in \mathbb{F}_{2^n} \mapsto Tr(P(x)) \in \mathbb{F}_2,$$

where $P$ is any function from $\mathbb{F}_{2^n}$ into $\mathbb{F}_{2^n}$ and where $Tr$ denotes the absolute
trace on $\mathbb{F}_{2^n}$, i.e.,

$$Tr(\beta) = \beta + \beta^2 + \cdots + \beta^{2^{n-1}}, \quad \beta \in \mathbb{F}_{2^n}.$$

In the whole paper, $\#E$ denotes the cardinality of any set $E$.

The resistance of a cipher to differential attacks and to its variants is
quantified by some properties of the derivatives of its S(ubstitution)-box, in
the sense of the following definition. It is worth noticing that this definition
is general: it deals with functions from $\mathbb{F}_{2^n}$ into $\mathbb{F}_{2^m}$ for any $m \ge 1$.

Definition 1 Let $F$ be a function from $\mathbb{F}_{2^n}$ into $\mathbb{F}_{2^m}$. For any $a \in \mathbb{F}_{2^n}$, the
derivative of $F$ with respect to $a$ is the function $D_a F$ from $\mathbb{F}_{2^n}$ into $\mathbb{F}_{2^m}$
defined by

$$D_a F(x) = F(x + a) + F(x), \quad \forall x \in \mathbb{F}_{2^n}.$$

The resistance to differential cryptanalysis is related to the following
quantities, introduced by Nyberg and Knudsen [22, 21].

Definition 2 Let $F$ be a function from $\mathbb{F}_{2^n}$ into $\mathbb{F}_{2^n}$. For any $a$ and $b$ in
$\mathbb{F}_{2^n}$, we denote

$$\delta(a,b) = \#\{x \in \mathbb{F}_{2^n},\ D_a F(x) = b\}.$$

Then, the differential uniformity of $F$ is

$$\delta(F) = \max_{a \neq 0,\ b \in \mathbb{F}_{2^n}} \delta(a,b).$$

Those functions for which $\delta(F) = 2$ are said to be almost perfect nonlinear
(APN).

2.2 Differential spectrum of power functions 

In this paper, we focus on the case where the S-box is a power function, i.e.,
a monomial function on $\mathbb{F}_{2^n}$. In other words, $F(x) = x^d$ over $\mathbb{F}_{2^n}$, which
will be denoted by $F_d$ when necessary. In the case of such a power function,
the differential properties can be analyzed more easily since, for any nonzero
$a \in \mathbb{F}_{2^n}$, the equation $(x + a)^d + x^d = b$ can be written

$$a^d\left(\left(\frac{x}{a} + 1\right)^d + \left(\frac{x}{a}\right)^d\right) = b,$$

implying that

$$\delta(a,b) = \delta(1, b/a^d) \ \text{ for all } a \neq 0.$$

Then, when $F : x \mapsto x^d$ is a monomial function, the differential characteristics
of $F$ are determined by the values $\delta(1,b)$, $b \in \mathbb{F}_{2^n}$. From now on, this
quantity $\delta(1,b)$ is denoted by $\delta(b)$. Since

$$\#\{b \in \mathbb{F}_{2^n} \mid \delta(a,b) = i\} = \#\{b \in \mathbb{F}_{2^n} \mid \delta(b) = i\} \quad \forall a \neq 0,$$

the differential spectrum of $F$ can be defined as follows.

Definition 3 Let $F(x) = x^d$ be a power function on $\mathbb{F}_{2^n}$. We denote by $\omega_i$
the number of output differences $b$ that occur $i$ times:

$$\omega_i = \#\{b \in \mathbb{F}_{2^n} \mid \delta(b) = i\}. \qquad (1)$$

The differential spectrum of $F$ is the set of $\omega_i$:

$$\mathbb{S} = \{\omega_0, \omega_2, \ldots, \omega_{\delta(F)}\}.$$

With same notation, we have the following equalities. They are well-known 
but we indicate the proof for clarity. 

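Lemma 1

$$\sum_{k=0}^{\delta(F)} \omega_k = 2^n \quad \text{and} \quad \sum_{k=2}^{\delta(F)} (k \times \omega_k) = 2^n,$$

where $\omega_i = 0$ for $i$ odd.

Proof. The first equality is obviously deduced from (1). And, for $k > 0$,
$k \times \omega_k$ equals the number of $x \in \mathbb{F}_{2^n}$ such that

$$x^d + (x + 1)^d = b \ \text{ and } \ \delta(b) = k$$

for some $b$. Thus, any $x$ is counted in the second sum. $\diamond$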

Remark 1 The differential spectrum of the power function $F(x) = x^d$ over
$\mathbb{F}_{2^n}$ is also related to the weight enumerator of the cyclic code of length
$(2^n - 1)$ with defining set $\{1, s\}$ JZ2F-. In particular, the number of codewords with
Hamming weight 3 and 4 in this cyclic code can be derived from the differential
spectrum of $F$ (see e.g. Corollary 1 in [5]).

A power function $F$ is said to be differentially 2-valued if and only if for
any $b \in \mathbb{F}_{2^n}$, we have $\delta(b) \in \{0, k\}$ (and then only two $\omega_i$ in $\mathbb{S}$ do not vanish).
It is known that $k = 2^r$ for some $r \ge 1$ (see an extensive study in [5, Section
5]). Note that APN functions are differentially 2-valued with $k = 2$.

There are some basic transformations which preserve $\mathbb{S}$.

Lemma 2 Let $F_d(x) = x^d$ and $F_e(x) = x^e$ over $\mathbb{F}_{2^n}$. If there exists $k$ such
that $e = 2^k d \bmod 2^n - 1$ or if $ed = 1 \bmod 2^n - 1$, then $F_e$ has the same
differential spectrum as $F_d$.
2.3 General properties on the differential spectrum

In this section, $F_d(x) = x^d$ and notation is as in Section 2.2. Studying $\delta(b)$
for special values of $b$ may give us at least a lower bound on $\delta(F_d)$. So we
first focus on $\delta(0)$.

Lemma 3 Let $d$ be such that $\gcd(d, 2^n - 1) = s$. Then $F_d : x \mapsto x^d$ is such
that $\delta(0) = s - 1$. In particular $s = 1$ if and only if $\delta(0) = 0$.

Proof. Note that $s = 1$ if and only if $F_d$ is a permutation. Obviously, $x$ is
a solution of $x^d + (x + 1)^d = 0$ if and only if

$$\left(\frac{x+1}{x}\right)^d = 1, \ \text{ that is } x + 1 = xz \text{ with } z^d = 1,$$

since $x \mapsto (x + 1)/x$ is a permutation over $\mathbb{F}_{2^n} \setminus \{0, 1\}$. As there are exactly
$s - 1$ such nonzero $z$, the proof is completed. $\diamond$

There is an immediate consequence of Lemma 3 for specific values of $d$.

Proposition 1 Let $d \ge 3$ such that $d$ divides $2^n - 1$. Then $\delta(F_d) = \delta(0) = d - 1$.

In particular, if $d = 2^t - 1$ with $\gcd(t, n) = t$ then $\delta(F_d) = \delta(0) = 2^t - 2$.

Proof. Since $\gcd(d, 2^n - 1) = d$, $\delta(0) = d - 1$ from Lemma 3. But the
polynomial $x^d + (x + 1)^d + b$ has degree $d - 1$ for any $b$, so that $\delta(b) \le d - 1$.
We conclude that $\delta(F_d) = d - 1$.

Now, let $d = 2^t - 1$ with $\gcd(t,n) = t$. Then $\gcd(d, 2^n - 1) = 2^t - 1$ so
that $\delta(0) = 2^t - 2$. As previously we conclude that $\delta(F_d) = 2^t - 2$. $\diamond$

Example 1 If $d = 3$ then $\delta(F_d) = \delta(0) = 2$ for any even $n$.
If $d = 5$ then $\delta(F_d) = \delta(0) = 4$ for $n = 4k$ for all $k \ge 1$.
If $d = 7$ then $\delta(F_d) = \delta(0) = 6$ for $n = 3k$ for all $k \ge 1$.

The previous remarks combined with our simulation results point out that
$\delta(0)$ and $\delta(1)$ play a very particular role in the differential spectra of power
functions. This leads us to investigate the properties of the differential
spectrum restricted to the values $\delta(b)$ with $b \notin \mathbb{F}_2$.

Definition 4 Let $F$ be a power function on $\mathbb{F}_{2^n}$. We say that $F$ has the
same restricted differential spectrum as an APN function when

$$\delta(b) \le 2 \ \text{ for all } b \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2.$$

For the sake of simplicity, we will say that $F$ is locally-APN.

This definition obviously generalizes the APN property. For instance,
the inverse function over $\mathbb{F}_{2^n}$ is locally-APN for any $n$, while it is APN for
odd $n$ only. Another infinite class of locally-APN functions is exhibited in
Section 5.2.

3 The differential spectrum of $x \mapsto x^{2^t-1}$

From now on, we investigate the differential spectra of the following specific
monomial functions

$$G_t : x \mapsto x^{2^t-1}, \quad 2 \le t \le n - 1, \ \text{ over } \mathbb{F}_{2^n}.$$

Note that such a function has algebraic degree $t$.

3.1 Link with linear polynomials

In this section, we first give some general properties.

Theorem 1 Let $G_t(x) = x^{2^t-1}$ over $\mathbb{F}_{2^n}$ with $2 \le t \le n - 1$. Then,

$$G_t(x + 1) + G_t(x) + 1 = \frac{(x^{2^{t-1}} + x)^2}{x^2 + x}. \qquad (2)$$

Consequently, for any $b \in \mathbb{F}_{2^n} \setminus \{1\}$, $\delta(b)$ is the number of roots in $\mathbb{F}_{2^n} \setminus \mathbb{F}_2$
of the linear polynomial

$$P_b(x) = x^{2^t} + bx^2 + (b + 1)x.$$

And we have

$$\delta(0) = 2^{\gcd(t,n)} - 2,$$
$$\delta(1) = 2^{\gcd(t-1,n)},$$
$$\text{for any } b \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2, \quad \delta(b) = 2^r - 2$$

for some $r$ with $1 \le r \le \min(t, n - t + 1)$.

Proof. To prove (2) we simply compute

$$(x + x^2)\left(1 + x^{2^t-1} + (1 + x)^{2^t-1}\right) = x + x^2 + x^{2^t} + x^{2^t+1} + x(1 + x)^{2^t} = x^2 + x^{2^t}.$$

Thus, $\delta(1)$ is directly deduced and it corresponds to the number of roots
of $P_1(x) = (x^{2^{t-1}} + x)^2$. Let $b \in \mathbb{F}_{2^n} \setminus \{1\}$. Then $x \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2$ is a solution of

$$(x + 1)^d + x^d = b, \quad d = 2^t - 1,$$

if and only if it is a solution of

$$(x^{2^{t-1}} + x)^2 = (b + 1)x(x + 1),$$

or equivalently if it is a root of the linear polynomial

$$P_b(x) = x^{2^t} + bx^2 + (b + 1)x.$$

The values $x = 0$ and $x = 1$ are counted in $\delta(1)$ (as solutions of $(x+1)^d + x^d = 1$),
while $P_b(0) = P_b(1) = 0$ for any $b$. So, we get that, if $b \neq 1$, the number
of roots of $P_b$ in $\mathbb{F}_{2^n}$ is equal to $(\delta(b) + 2)$. Because the set of all roots of a
linear polynomial is a linear space, we deduce that

$$\forall b \in \mathbb{F}_{2^n} \setminus \{1\}, \quad \delta(b) = 2^r - 2 \ \text{ with } r \le t.$$

Moreover, by raising $P_b$ to the $2^{n-t}$-th power, we get that any root of $P_b$ is
also a root of

$$b' x^{2^{n-t+1}} + (b' + 1) x^{2^{n-t}} + x$$

with $b' = b^{2^{n-t}}$. This then implies that $\delta(b) = 2^r - 2$ with $r \le n - t + 1$.
Finally, for $b = 0$, $P_0(x) = x^{2^t} + x$, implying that $\delta(0) = 2^{\gcd(t,n)} - 2$, which
naturally corresponds to Lemma 3. $\diamond$

Remark 2 As a first easy corollary, we recover the following well-known
form of the differential spectrum of the inverse function, $G_{n-1} : x \mapsto x^{2^{n-1}-1}$
over $\mathbb{F}_{2^n}$. Actually, the previous theorem applied to $t = n - 1$ leads to $\delta(0) = 0$
and $\delta(1) = 2$ when $n$ is odd and $\delta(1) = 4$ when $n$ is even. For all $b \notin \mathbb{F}_2$,
$\delta(b) \in \{0, 2\}$. Therefore, we have

• if $n$ is odd, $\delta(G_{n-1}) = 2$ and $\omega_0 = 2^{n-1}$, $\omega_2 = 2^{n-1}$;

• if $n$ is even, $\delta(G_{n-1}) = 4$ and $\omega_0 = 2^{n-1} + 1$, $\omega_2 = 2^{n-1} - 2$, $\omega_4 = 1$.

Clearly $G_{n-1}$ is locally-APN for any $n$, as we previously noticed (see
Definition 4).

The following corollary is a direct consequence of Theorem 1.

Corollary 1 Let $G_t(x) = x^{2^t-1}$ over $\mathbb{F}_{2^n}$ with $2 \le t \le n - 1$. Then, its
differential uniformity is of the form either $2^r - 2$ or $2^r$ for some $2 \le r \le n$.
Moreover, if $\delta(G_t) = 2^r$ for some $r > 1$, then this value appears only once
in the differential spectrum, i.e., $\omega_{2^r} = 1$, and it corresponds to the value of
$\delta(1)$, implying $\delta(G_t) = 2^{\gcd(t-1,n)}$.
3.2 Equivalent formulations

In Theorem 1 we exhibited some tools for the computation of the differential
spectra of functions $x \mapsto x^{2^t-1}$. The problem boils down to the determination
of the roots of a linear polynomial whose coefficients depend on $b \in \mathbb{F}_{2^n}$.
There are equivalent formulations that we are going to develop now. The
first one is obtained by introducing another class of linear polynomials over
$\mathbb{F}_{2^n}$. For any subspace $E$ of $\mathbb{F}_{2^n}$ (where $\mathbb{F}_{2^n}$ is identified with $\mathbb{F}_2^n$), we define
its dual as follows:

$$E^{\perp} = \{\, x \mid Tr(xy) = 0,\ \forall y \in E \,\}.$$

Also, we denote by $Im(F)$ the image set of any function $F$.

Lemma 4 Let $t, s \ge 2$ and $s = n - t + 1$. Let us consider the linear
applications

$$P_{t,b}(x) = x^{2^t} + bx^2 + (b+1)x, \quad b \in \mathbb{F}_{2^n}.$$

Then the dual of $Im(P_{t,b})$ is the set of all $a$ satisfying $P^*_{t,b}(a) = 0$ where

$$P^*_{t,b}(x) = x^{2^s} + (b+1)^2 x^2 + bx.$$

Note that $P^*_{t,b}$ is called the adjoint application of $P_{t,b}$.

Proof. By definition, $Im(P_{t,b})^{\perp}$ consists of all $a$ such that $Tr(a P_{t,b}(x)) = 0$
for all $x \in \mathbb{F}_{2^n}$. We have

$$Tr(a P_{t,b}(x)) = Tr(a x^{2^t}) + Tr(b a x^2) + Tr(a(b+1)x)$$
$$= Tr(a^{2^{n-t+1}} x^2) + Tr(b a x^2) + Tr(a^2 (b+1)^2 x^2)$$
$$= Tr\left(x^2 (a^{2^s} + a^2 (b+1)^2 + ab)\right).$$

Hence $a$ belongs to the dual of the image of $P_{t,b}$ if and only if
$a^{2^s} + a^2 (b+1)^2 + ab = 0$, i.e., $a$ is a root of $P^*_{t,b}$, completing the proof. $\diamond$

The following theorem gives an equivalent formulation of the quantity $r$
which is presented in Theorem 1.

Theorem 2 Notation is as in Lemma 4. Then

$$\dim Ker(P_{t,b}) = \dim Ker(P^*_{t,b}).$$

Consequently, this dimension can be determined by solving $P_{t,b}(x) = 0$ or
equivalently by solving

$$x^{2^s} + (b+1)^2 x^2 + bx = 0, \ \text{ where } s = n - t + 1.$$

Proof. Let $k$ be the dimension of the image set of $P_{t,b}$. It is well-known
that $n = k + \dim Ker(P_{t,b})$. On the other hand, Lemma 4 shows that $a$ is
in the dual of the image of $P_{t,b}$ if and only if $P^*_{t,b}(a) = 0$. We deduce that

$$n - k = \dim Ker(P^*_{t,b}) = \dim Ker(P_{t,b}),$$

completing the proof. $\diamond$

Now, we discuss a different point of view, using an equivalent linear system. 

Theorem 3 For any $2 \le t < n$, we define the following equations:

$$E_b : x^{2^t} + bx^2 + (b+1)x = 0, \quad b \in \mathbb{F}_{2^n}.$$

Let $N_b$ be the number of solutions of $E_b$ in $\mathbb{F}_{2^n} \setminus \mathbb{F}_2$. Let $M_b$ be the number
of solutions in $\mathbb{F}_{2^n}^*$ of the system

$$\begin{cases} y^{2^{t-1}} + \cdots + y^2 + y(b+1) = 0 \\ Tr(y) = 0 \end{cases}$$

Then $N_b = 2 \times M_b$.

Proof. We simply write

$$x^{2^t} + bx^2 + (b+1)x = x^{2^t} + x + b(x^2 + x)$$

which is equal to

$$= (x^2 + x)^{2^{t-1}} + (x^2 + x)^{2^{t-2}} + \cdots + (x^2 + x) + b(x^2 + x)$$
$$= y^{2^{t-1}} + y^{2^{t-2}} + \cdots + y^2 + y(b+1), \ \text{ with } y = x^2 + x.$$

We are looking at the number of solutions of $E_b$ which are not in $\mathbb{F}_2$. So, it
is equivalent to compute the number of nonzero solutions $y$ of

$$y^{2^{t-1}} + y^{2^{t-2}} + \cdots + y(b+1) = 0$$

such that the equation $x^2 + x + y = 0$ has solutions. This last condition holds
if and only if $Tr(y) = 0$, providing two distinct solutions $x_1, x_2 = x_1 + 1$
such that $x_1^2 + x_1 = y$, completing the proof. $\diamond$

Remark 3 In Theorem 3, $b$ takes any value while $P_b$ is defined for $b \neq 1$
in Theorem 1. For all $b \neq 1$, we have clearly $N_b = \delta(b)$. If $b = 1$, $P_1(x) =
x^{2^t} + x^2$ and the number of roots of $P_1$ in $\mathbb{F}_{2^n}$ is equal to

$$N_1 + 2 = 2^{\gcd(t-1,n)} = \delta(1).$$

Therefore, we have $M_1 = \delta(1)/2 - 1$.
4 A property of symmetry

Recall that $G_t(x) = x^{2^t-1}$. Now, we are going to examine some symmetries
between the differential spectra of $G_t$ and $G_s$ where $t, s \ge 2$ and $s = n - t + 1$.
In the list of properties below, notation is conserved as soon as it is defined.
Recall that

$$P^*_{t,b}(x) = x^{2^s} + x^2 (b+1)^2 + xb$$

is the adjoint polynomial of $P_{t,b}(x) = x^{2^t} + bx^2 + (b+1)x$. Thus, both
polynomials have a kernel with the same dimension (see Lemma 4 and
Theorem 2). It is worth noticing that this dimension is at least 1 since
$P_{t,b}(0) = P_{t,b}(1) = 0$. In this section we want to prove the following theorem.

Theorem 4 For any $\nu$ with $2 \le \nu \le n - 1$, we define

$$S_\nu^i = \{\, b \mid \dim Ker(P_{\nu,b}) = i \,\} \ \text{ with } 1 \le i \le \nu.$$

Then, for any $s, t \ge 2$ with $t = n - s + 1$ and for any $i$, we have $\#S_s^i = \#S_t^i$.

We begin by some lemmas. The next one will not be used for the proof of
Theorem 4 but clarifies some arguments.

Lemma 5 Let $a \in \mathbb{F}_{2^n}^*$ and $2 \le t \le n - 1$. Then there are exactly two
elements, $b_1$ and $b_2$ with $b_2 = b_1 + a^{-1}$, such that $P^*_{t,b_i}(a) = 0$ for $i = 1, 2$.
In particular, $P^*_{t,b}(1) = 0$ for $b \in \{0, 1\}$.

Proof. Let $a$ be fixed and let us consider the equation $P^*_{t,b}(a) = 0$ for some
$b$:

$$b^2 a^2 + ba + a^{2^s} + a^2 = a^2\left(b^2 + \frac{b}{a} + \frac{a^{2^s} + a^2}{a^2}\right) = 0.$$

There is $b$ such that this equation is satisfied if and only if

$$Tr\left(\frac{a^{2^s} + a^2}{a^2} \times a^2\right) = Tr(a^{2^s} + a^2) = 0,$$

which holds for any $a$. Thus, for any nonzero $a$ there are exactly two
solutions, say $b_1$ and $b_2$ whose sum equals $a^{-1}$. To complete the proof, we
observe that $P^*_{t,b}(1) = b^2 + b$. $\diamond$
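Lemma 6 Let $s, t \ge 2$ with $t = n - s + 1$. Let $\pi$ be the permutation of
$\mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n}$ defined by

$$\pi(a,b) = \left(a^{2^s}, \frac{ab}{a^{2^s}} + 1\right).$$

Then, for any $(a,b)$ in $\mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n}$, $(\alpha,\beta) = \pi(a,b)$ satisfies

$$P^*_{s,\beta}(\alpha) = P^*_{t,b}(a).$$

Proof. First, we clearly have that $\pi$ is a permutation of $\mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n}$. Indeed,
$\pi(\mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n}) \subset \mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n}$ and one can define the inverse of $\pi$ as follows:

$$\pi^{-1}(\alpha,\beta) = \left(\alpha^{2^{n-s}}, \frac{\alpha(\beta+1)}{\alpha^{2^{n-s}}}\right).$$

Actually, $(\alpha^{2^{n-s}})^{2^s} = \alpha$ and it can be checked that

$$\pi(\pi^{-1}(\alpha,\beta)) = \left(\alpha, \frac{\alpha(\beta+1)}{\alpha} + 1\right) = (\alpha,\beta).$$

Then, by using that $(\beta+1)^2 = \left(\frac{ab}{a^{2^s}}\right)^2$ and $s + t = n + 1$, we deduce that

$$P^*_{s,\beta}(\alpha) = (a^{2^s})^{2^t} + (a^{2^s})^2 (\beta+1)^2 + (a^{2^s})\beta$$
$$= a^2 + a^2 b^2 + ab + a^{2^s}$$
$$= P^*_{t,b}(a).$$

$\diamond$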

Lemma 7 Let $s, t \ge 2$ with $t = n - s + 1$. Let $b \in \mathbb{F}_{2^n}$ and let $a \in \mathbb{F}_{2^n}^*$
such that $P^*_{t,b}(a) = 0$. Then $\dim Ker(P^*_{t,b}) = \dim Ker(P^*_{s,\beta})$, where
$\beta = 1 + ab/a^{2^s}$.

Proof. Recall that $P^*_{t,b}(x) = x^{2^s} + x^2 (b+1)^2 + xb$. We know that for
any $b \notin \mathbb{F}_2$ there is $a \in \mathbb{F}_{2^n} \setminus \{0, 1\}$ such that $P^*_{t,b}(a) = 0$. This is because
$\dim Ker(P_{t,b}) = \dim Ker(P^*_{t,b})$ (see Theorem 2) and $\{0, 1\}$ is included in the
kernel of $P_{t,b}$. Moreover, $P^*_{t,b}(1) = b^2 + b = 0$ if and only if $b \in \mathbb{F}_2$.

We treat the case $a = 1$ separately, a case where $P^*_{t,b}(a) = 0$ for $b \in \mathbb{F}_2$
only. In this case, Lemma 6 leads to $P^*_{s,\beta}(1) = 0$ too where $\beta = b + 1$, since
$\pi(1,b) = (1, b+1)$. And we have for $b = 0$

$$P^*_{t,0}(x) = x^{2^s} + x^2 = P_{s,1}(x)$$

and for $b = 1$

$$P^*_{t,1}(x) = x^{2^s} + x = P_{s,0}(x).$$

Thus, we conclude: for $a = 1$, if $b$ is such that $P^*_{t,b}(1) = 0$ then $\beta = b + 1$
and

$$\dim Ker(P^*_{t,b}) = \dim Ker(P_{s,\beta}) = \dim Ker(P^*_{s,\beta})$$

where the last equality comes from Theorem 2.

Now, we suppose that $a \notin \mathbb{F}_2$. With $x = ay$, the equation $P^*_{t,b}(x) = 0$ is
equivalent to

$$a^{2^s} y^{2^s} + a^2 y^2 (b+1)^2 + ayb = 0$$

which is

$$a^{2^s}\left(y^{2^s} + \frac{a^2 (b+1)^2}{a^{2^s}}\, y^2 + y\, \frac{ab}{a^{2^s}}\right) = 0.$$

We can set

$$\beta = \frac{a^2 (b+1)^2}{a^{2^s}} \ \text{ and } \ \beta + 1 = \frac{ab}{a^{2^s}}$$

since

$$\frac{a^2 (b+1)^2}{a^{2^s}} + 1 = \frac{ab}{a^{2^s}}$$

is equivalent to

$$a^{2^s} + a^2 (b+1)^2 + ab = 0, \ \text{ i.e., } P^*_{t,b}(a) = 0.$$

We have proved that $P^*_{t,b}(x) = 0$ is equivalent to

$$P_{s,\beta}(y) = y^{2^s} + \beta y^2 + (\beta + 1)y = 0.$$

Then, $\dim Ker(P_{s,\beta}) = \dim Ker(P^*_{t,b})$. But $\dim Ker(P_{s,\beta}) = \dim Ker(P^*_{s,\beta})$
by Theorem 2, completing the proof. $\diamond$

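Proof of Theorem 4. Recall that

$$S_\nu^i = \{\, b \in \mathbb{F}_{2^n} \mid \dim Ker(P_{\nu,b}) = i \,\}.$$

Then, we want to show that, for any $i$, $\#S_s^i = \#S_t^i$. For any $2 \le \nu \le n - 1$
and for any $1 \le i \le \nu$, we define

$$\mathcal{E}_\nu^i = \{\, (a,b) \in \mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n} \mid P^*_{\nu,b}(a) = 0 \text{ and } \dim Ker(P_{\nu,b}) = i \,\}.$$

From Theorem 2 we know that $\dim Ker(P_{\nu,b}) = \dim Ker(P^*_{\nu,b})$. Then,

$$\mathcal{E}_\nu^i = \{\, (a,b) \in \mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n} \mid P^*_{\nu,b}(a) = 0 \text{ and } \dim Ker(P^*_{\nu,b}) = i \,\}.$$

For any $b \in S_\nu^i$ there are $2^i - 1$ nonzero $a$ in $Ker(P^*_{\nu,b})$ and then $2^i - 1$ pairs
$(a,b)$, for a fixed $b$, in $\mathcal{E}_\nu^i$ so that

$$\#\mathcal{E}_\nu^i = (2^i - 1) \times \#S_\nu^i. \qquad (3)$$

We use Lemma 6. Recall that $\pi$ is the permutation of $\mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n}$ defined by

$$\pi(a,b) = \left(a^{2^s}, \frac{ab}{a^{2^s}} + 1\right).$$

Then, we have

$$\mathcal{E}_t^i = \{\, (a,b) \in \mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n} \mid P^*_{t,b}(a) = 0 \text{ and } \dim Ker(P^*_{t,b}) = i \,\},$$
$$\mathcal{E}_s^i = \{\, (\alpha,\beta) \in \mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n} \mid P^*_{s,\beta}(\alpha) = 0 \text{ and } \dim Ker(P^*_{s,\beta}) = i \,\}$$
$$= \{\, (\alpha,\beta) = \pi(a,b),\ (a,b) \in \mathcal{E}_t^i \,\}.$$

Indeed, any $(\alpha,\beta)$ is as follows specified from $(a,b)$. We have $P^*_{s,\beta}(\alpha) =
P^*_{t,b}(a)$ from Lemma 6. Moreover, according to Lemma 7, $\dim Ker(P^*_{t,b}) =
\dim Ker(P^*_{s,\beta})$, where $\beta$ is calculated from $a$ and $b$, for any $a$ such that
$P^*_{t,b}(a) = 0$.

In other terms, to any pair $(a,b) \in \mathcal{E}_t^i$ corresponds a unique pair $(\alpha,\beta) \in
\mathcal{E}_s^i$. We finally get that $\#\mathcal{E}_t^i = \#\mathcal{E}_s^i$ and it directly follows from (3) that
$\#S_s^i = \#S_t^i$, completing the proof. $\diamond$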

Now we are going to explain Theorem 4 in terms of the differential
spectra of $G_t$ and $G_s$, $s, t \ge 2$ with $t = n - s + 1$. Actually, we can deduce
from the previous theorem that both functions $G_t$ and $G_s$ have the same
restricted differential spectrum, i.e. the multisets $\{\delta(b),\ b \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2\}$ are the
same for both functions.

Corollary 2 We denote by $\delta_\nu(b)$, $b \in \mathbb{F}_{2^n}$, the quantities $\delta(b)$ corresponding
to $G_\nu : x \mapsto x^{2^\nu-1}$. Then, for any $s, t \ge 2$ with $t = n - s + 1$, we have

$$\delta_s(0) = \delta_t(1) - 2 = 2^{\gcd(t-1,n)} - 2$$
$$\delta_s(1) = \delta_t(0) + 2 = 2^{\gcd(t,n)}$$

and we have equality between both following multisets:

$$\{\delta_s(b),\ b \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2\} = \{\delta_t(b),\ b \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2\}. \qquad (4)$$

Moreover, $G_t$ and $G_s$ have the same differential spectrum if and only if

$$\gcd(s,n) = \gcd(t,n) = 1,$$

which can hold for odd $n$ only. In any case, $G_t$ is locally-APN if and only if
$G_s$ is locally-APN.

Proof. Since $s = n - t + 1$, we clearly have

$$\gcd(s,n) = \gcd(t-1,n) \ \text{ and } \ \gcd(s-1,n) = \gcd(t,n).$$

Thus, applying Theorem 1 we get

$$\delta_s(0) = 2^{\gcd(s,n)} - 2 = 2^{\gcd(t-1,n)} - 2 = \delta_t(1) - 2$$

and

$$\delta_s(1) = 2^{\gcd(s-1,n)} = 2^{\gcd(t,n)} = \delta_t(0) + 2.$$

Moreover, we have

$$(P_{t,1}(x))^{2^{s-1}} = (x^{2^t} + x^2)^{2^{s-1}} = x + x^{2^s} = P_{s,0}(x)$$
$$(P_{t,0}(x))^{2^s} = (x^{2^t} + x)^{2^s} = x^{2^s} + x^2 = P_{s,1}(x),$$

implying that

$$\{\dim Ker\, P_{t,0},\ \dim Ker\, P_{t,1}\} = \{\dim Ker\, P_{s,0},\ \dim Ker\, P_{s,1}\}.$$

We deduce from Theorem 4 that

$$\#\{\, b \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2 \mid \dim Ker(P_{t,b}) = i \,\} = \#\{\, b \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2 \mid \dim Ker(P_{s,b}) = i \,\}.$$

Equality (4) is then a direct consequence of Theorem [H since

$$\{\delta_\nu(b),\ b \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2\} = \{2^{\kappa(b)} - 2,\ \kappa(b) = \dim Ker(P_{\nu,b})\}.$$

Now, we note that $\delta_s(0) = \delta_t(0)$ if and only if $\delta_s(1) = \delta_t(1)$. Thus, $G_t$
and $G_s$ have the same differential spectrum if and only if $\delta_s(0) = \delta_t(0)$.
Since

$$\delta_s(0) = 2^{\gcd(s,n)} - 2 \ \text{ and } \ \delta_t(0) = 2^{\gcd(t,n)} - 2,$$

this holds if and only if $\gcd(t,n) = \gcd(s,n) = 1$. It cannot hold when $n$ is
even, because in this case either $s$ or $t$ is even too.

Using Definition 4 the last statement is obviously derived. $\diamond$
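The statements of Theorem 1, Lemma 1 and Corollary 2 can be checked exhaustively for small $n$. The Python sketch below is an added example, not code from the paper; the irreducible polynomials chosen to represent $\mathbb{F}_{2^n}$ and all function names are assumptions of this example.

```python
from collections import Counter
from math import gcd

# Assumption of this example: F_{2^n} is represented as F_2[X]/(p(X)) with the
# irreducible p below (bit i = coefficient of X^i). Elements are integers, and
# the integers 0 and 1 are the elements of the subfield F_2.
IRREDUCIBLE = {4: 0b10011, 5: 0b100101, 6: 0b1000011, 7: 0b10000011}


def gf_mul(a, b, n):
    """Multiply a and b in F_{2^n} (carry-less multiply with modular reduction)."""
    poly, r = IRREDUCIBLE[n], 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:  # degree reached n: reduce modulo p(X)
            a ^= poly
    return r


def gf_pow(x, e, n):
    """x^e in F_{2^n} by square-and-multiply (e >= 1 in all uses below)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x, n)
        x = gf_mul(x, x, n)
        e >>= 1
    return r


def delta_table(t, n):
    """delta[b] = #{x : G_t(x+1) + G_t(x) = b} for G_t(x) = x^(2^t - 1)."""
    d = (1 << t) - 1
    delta = [0] * (1 << n)
    for x in range(1 << n):
        delta[gf_pow(x ^ 1, d, n) ^ gf_pow(x, d, n)] += 1
    return delta


def spectrum(t, n):
    """Differential spectrum as {i: omega_i}, omega_i = #{b : delta(b) = i}."""
    return dict(Counter(delta_table(t, n)))


def roots_of_P(t, b, n):
    """Number of roots in F_{2^n} of P_b(x) = x^(2^t) + b x^2 + (b+1) x."""
    count = 0
    for x in range(1 << n):
        value = gf_pow(x, 1 << t, n) ^ gf_mul(b, gf_mul(x, x, n), n) ^ gf_mul(b ^ 1, x, n)
        count += (value == 0)
    return count


def check_lemma1(t, n):
    """Lemma 1: sum of omega_k and sum of k * omega_k both equal 2^n."""
    sp = spectrum(t, n)
    return sum(sp.values()) == 2 ** n and sum(k * w for k, w in sp.items()) == 2 ** n


def check_theorem1(t, n):
    """Theorem 1: delta(0), delta(1), and #roots(P_b) = delta(b) + 2 for b != 1."""
    delta = delta_table(t, n)
    if delta[0] != 2 ** gcd(t, n) - 2 or delta[1] != 2 ** gcd(t - 1, n):
        return False
    return all(roots_of_P(t, b, n) == delta[b] + 2
               for b in range(1 << n) if b != 1)


def check_symmetry(t, n):
    """Corollary 2 with s = n - t + 1: equal multisets outside F_2, shifted values on F_2."""
    s = n - t + 1
    dt, ds = delta_table(t, n), delta_table(s, n)
    return (sorted(dt[2:]) == sorted(ds[2:])
            and ds[0] == dt[1] - 2 and ds[1] == dt[0] + 2)


if __name__ == "__main__":
    for n in (5, 6):
        for t in range(2, n):
            print(f"n={n} t={t} s={n - t + 1}", sorted(spectrum(t, n).items()),
                  check_lemma1(t, n), check_theorem1(t, n), check_symmetry(t, n))
```

The exhaustive loops cost on the order of $2^{2n}$ field operations per exponent, so this is meant for the small fields listed in `IRREDUCIBLE`.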

The previous result implies that, if $G_t$ is APN over $\mathbb{F}_{2^n}$, then $G_s$ is
locally-APN. Moreover, the differential spectrum of $G_s$ can be completely
determined as shown by the following corollary.

Corollary 3 Let $n$ and $t < n$ be two integers such that $G_t : x \mapsto x^{2^t-1}$ is
APN over $\mathbb{F}_{2^n}$. Let $s = n - t + 1$. Then,

• if $n$ is odd, both $G_t$ and $G_s$ are APN permutations;

• if $n$ is even, $G_t$ is not a permutation and $G_s$ is a differentially
4-uniform permutation (locally-APN) with the following differential
spectrum: $\omega_4 = 1$, $\omega_2 = 2^{n-1} - 2$ and $\omega_0 = 2^{n-1} + 1$.

Proof. From Theorem 1 we deduce that, if $F$ is APN, then $\delta_t(b) \in \{0, 2\}$
for all $b \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2$; moreover, $\gcd(n, t-1) = 1$ and $\gcd(n,t) \in \{1, 2\}$ since
$\delta_t(1) = 2$ and $\delta_t(0) \in \{0, 2\}$.

If $n$ is odd, $\gcd(n,t) = 1$ is then the only possible value, implying that
$\delta_t(0) = 0$. It follows that $\delta_s(0) = 0$, $\delta_s(1) = 2$ and $\delta_s(b) \in \{0, 2\}$ for all
$b \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2$. In other words, both $G_t$ and $G_s$ are APN permutations.

If $n$ is even, it is well-known that $G_t$ is not a permutation (see e.g. [2]).
More precisely, we have here $\gcd(n,t) = 2$ since $t$ and $t - 1$ cannot be both
coprime with $n$. Then, we deduce that $\delta_s(0) = 0$ and $\delta_s(1) = 4$. The
differential spectrum of $G_s$ directly follows from Corollary 2. $\diamond$

Example 2 Notation is as in Corollary 3. For $t = 2$, we have $G_t(x) = x^3$.
It is well-known that $G_2$ is an APN function over $\mathbb{F}_{2^n}$ for any $n$. Since
$s = n - 1$, $G_s(x)$ is equivalent to the inverse function and it is also
well-known that the inverse function is APN for odd $n$. For even $n$, $\delta(G_{n-1}) = 4$
and the differential spectrum is computed in Remark 2.

Corollary 4 Let $n$ and $t < n$ be two integers such that $G_t : x \mapsto x^{2^t-1}$ is
differentially 4-uniform. Then, $n$ is even and $G_t$ is a permutation with the
following differential spectrum: $\omega_4 = 1$, $\omega_2 = 2^{n-1} - 2$ and $\omega_0 = 2^{n-1} + 1$.
Moreover, for $s = n - t + 1$, $G_s$ is APN.

Proof. From Corollary 1 we deduce that $\delta(G_t) = 4$ implies $\gcd(n, t-1) = 2$
and $\omega_4 = 1$. In particular, $n$ is even. Since $\gcd(n, t-1)$ and $\gcd(n,t)$ cannot
be both equal to 2, we also deduce that $G_t$ is a permutation. Its
differential spectrum is then derived from Lemma 1.

Moreover, we have $\delta_s(0) = 2$ and $\delta_s(1) = 2$, implying that $G_s$ is APN. $\diamond$

5 Specific classes 

In this section, we apply the results of Section 3 to the study of the
differential spectrum of $G_t : x \mapsto x^{2^t-1}$, for special values of $t$.

5.1 The function $x \mapsto x^7$

We first focus on $G_3 : x \mapsto x^7$ over $\mathbb{F}_{2^n}$, i.e., $t = 3$. In this case, we determine
the complete differential spectrum of the function. Moreover, thanks to the
work of Carlitz [12], we emphasize that this spectrum is related to some
Kloosterman sums defined as follows.

Proposition 2 [Formula (6.8)] Let $K(1)$ be the Kloosterman sum

$$K(1) = \sum_{x \in \mathbb{F}_{2^n}} (-1)^{Tr(x^{-1}+x)}$$

extended to $0$ assuming that $(-1)^{Tr(x^{-1})} = 1$ for $x = 0$. Then,

\n-l L 2 J 



"(»=>^d-')'(;)'. 



Theorem 5 Let $G_3 : x \mapsto x^7$ over $\mathbb{F}_{2^n}$ with $n \ge 4$. Then, its differential
spectrum is given by:

• if $n$ is odd,

W6 = ~6 8" 

$\omega_4 = 0$

$\omega_2 = 2^{n-1} - 3\omega_6$

$\omega_0 = 2^{n-1} + 2\omega_6$;

• if $n$ is even,

$\omega_6 = \frac{2^{n-2} - 4}{6} + \frac{K(1)}{8}$

$\omega_4 = 1$

$\omega_2 = 2^{n-1} - 3\omega_6 - 2$

$\omega_0 = 2^{n-1} + 2\omega_6 + 1$.

where $K(1)$ is the Kloosterman sum defined as in Proposition 2. In particular,
$G_3$ is differentially 6-uniform for all $n \ge 6$.

To prove this theorem, we need some preliminary results. We first recall 
some basic results on cubic equations. 
Lemma 8 [3] The cubic equation $x^3 + ax + b = 0$, where $a \in \mathbb{F}_{2^n}$ and $b \in \mathbb{F}_{2^n}^*$
has a unique solution in $\mathbb{F}_{2^n}$ if and only if $Tr(a^3/b^2) \neq Tr(1)$. In particular,
if it has three distinct roots in $\mathbb{F}_{2^n}$, then $Tr(a^3/b^2) = Tr(1)$.

Proposition 3 [19, Appendix] Let $f_a(x) = x^3 + x + a$ and

$$M_i = \#\{\, a \in \mathbb{F}_{2^n}^* \mid f_a(x) = 0 \text{ has precisely } i \text{ solutions in } \mathbb{F}_{2^n} \,\}.$$

Then, we have for odd $n$

$$M_0 = \frac{2^n + 1}{3}, \quad M_1 = 2^{n-1} - 1, \quad M_3 = \frac{2^{n-1} - 1}{3}$$

and for even $n$

$$M_0 = \frac{2^n - 1}{3}, \quad M_1 = 2^{n-1}, \quad M_3 = \frac{2^{n-1} - 2}{3}.$$

Now we are going to solve the equations $P_b(x) = 0$ (see Theorem 1) by
solving a system of equations, including a cubic equation, thanks to the
equivalence presented in Theorem 3.

Theorem 6 Let

$$P_b(x) = x^8 + bx^2 + (b+1)x, \quad b \in \mathbb{F}_{2^n} \setminus \{1\}.$$

The number $\nu_0$ of $b \in \mathbb{F}_{2^n} \setminus \{1\}$ such that $P_b$ has no roots in $\mathbb{F}_{2^n} \setminus \{0, 1\}$ is
given by



where $K(1)$ is the Kloosterman sum defined as in Proposition 2.



Proof. Let b G F2« \{1}. According to Theorem[3]we know that the number 
(denoted by iV&) of roots in F2™ \ F2 of Pb is twice the number of roots in 
Fgn of the following system where /3 = b + 1: 

Qp(v) = y 3 + y + P = o 

Tr(y) = 0. 1 J 

Since /3 7^ 0, Qp{y) 7^ for y G F2. Then, for any j3 7^ 0, the following 
situations may occur: 

• Qs has no root in F2™. In this case, Nf, = 0. 
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• Qp has a unique root y £ F2™. From Lemma [8l this occurs if and only 
if Trip*" 1 ) + Tr(l). In this case, N b = if Tr(y) = 1 and N b = 2 if 
Tr(y) = 0. 

• has three roots 2/1,2/2,2/3 £ ^2 n - Since these roots are roots of a 
linear polynomial of degree 4 then 2/3 = 2/1 + 2/2, implying Tr(y^) = 
Tr(yi) + Tr (2/2)- Then, at least one is such that Tr{y,i) = 0. It 
follows that, in this case, N b is either 6 or 2. 

Let us now define 

B = #{/3 € F?m, Q/j has a unique root 2/ € IBV and Tr(y) = 1}. 

From the previous discussion, we have 

vq = #{/3 6 Fj^n, Qp has no root in ¥2^} + -B 
2 n + (_i)r»+l 

= — - + B 

3 

where the last equality comes from Proposition [3l Let us now compute the 
value of B. 

B = £ ^2™' Qp nas a unique root y 6 F2™ and Tr(y) = 1} 

= #{(2/ 3 + 2/) e F^, Tr ( -3^— ^ Tr(l) and Tr(y) = 1} , 

by using that (3 = y 3 + y. But, we have 

1 1 + y 2 y 2 + y _y_ 1 1 1 



2/ 3 + 2/ 2/ 3 + 2/ 2/ 3 + 2/ 2/ 3 + 2/ 2/ 2/ + 1 2/ 2 + 1 ' 
implying that 

Tr ( —5 ] = Tr ( - 

\y A + yJ \y 

Therefore, 

B = #{(/ + 2/) G Tr f-^) ± Tr(l) and Tr(2/) = 1}. 



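Now, we clearly have that $(y^3 + y) = 0$ if and only if $y \in \mathbb{F}_2$. Moreover,
two distinct elements $y_1$ and $y_2$ in $\mathbb{F}_{2^n} \setminus \mathbb{F}_2$ with $\mathrm{Tr}(y_1^{-1}) \neq \mathrm{Tr}(1)$ and
$\mathrm{Tr}(y_2^{-1}) \neq \mathrm{Tr}(1)$ satisfy $(y_1^3 + y_1) \neq (y_2^3 + y_2)$ (otherwise, $Q_\beta$ with $\beta = y_1^3 + y_1$
has at least 2 roots in $\mathbb{F}_{2^n}$). Therefore, we deduce that

$$B = \#\left\{y \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2,\ \mathrm{Tr}\left(\frac{1}{y}\right) \neq \mathrm{Tr}(1) \text{ and } \mathrm{Tr}(y) = 1\right\}.$$

If $n$ is odd, we deduce that

$$B = \#\left\{y \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2,\ \mathrm{Tr}\left(\frac{1}{y}\right) = 0 \text{ and } \mathrm{Tr}(y) = 1\right\}.$$

If $n$ is even, we deduce that

$$B = \#\left\{y \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2,\ \mathrm{Tr}\left(\frac{1}{y}\right) = 1 \text{ and } \mathrm{Tr}(y) = 1\right\}$$

$$= \#\{y \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2,\ \mathrm{Tr}(y) = 1\} - \#\left\{y \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2,\ \mathrm{Tr}\left(\frac{1}{y}\right) = 0 \text{ and } \mathrm{Tr}(y) = 1\right\}$$

$$= 2^{n-1} - \#\left\{y \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2,\ \mathrm{Tr}\left(\frac{1}{y}\right) = 0 \text{ and } \mathrm{Tr}(y) = 1\right\}.$$

On the other hand, by definition of the Kloosterman sum $K(1)$, we have

$$K(1) - 2 = \sum_{x \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2} (-1)^{\mathrm{Tr}(x^{-1} + x)}$$

$$= -2\,\#\{x \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2,\ \mathrm{Tr}(x^{-1} + x) = 1\} + 2^n - 2$$

$$= -4\,\#\{x \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2,\ \mathrm{Tr}(x^{-1}) = 0 \text{ and } \mathrm{Tr}(x) = 1\} + 2^n - 2.$$

Thus,

$$\#\{x \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2,\ \mathrm{Tr}(x^{-1}) = 0 \text{ and } \mathrm{Tr}(x) = 1\} = 2^{n-2} - \frac{K(1)}{4}.$$

We then deduce that, for any $n$,

$$B = 2^{n-2} + (-1)^n \frac{K(1)}{4}.$$

It follows that

$$\nu_0 = \frac{2^n + (-1)^{n+1}}{3} + 2^{n-2} + (-1)^n \frac{K(1)}{4}.$$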



Proof. (Proof of Theorem 5) In accordance with Lemma 1 we obtain the
differential spectrum of $G_3$ as soon as we are able to solve the following
system:

$$2\omega_2 + 4\omega_4 + 6\omega_6 = 2^n$$

Now, we apply Theorem Q] and we recall first that $\delta(b) \in \{0, 2, 6\}$ for any
$b \in \mathbb{F}_{2^n} \setminus \{1\}$. Moreover, we know that $\omega_0 = \nu_0$ as defined in Theorem 6.

Since $t = 3$, $\gcd(t - 1, n)$ equals 1 for odd $n$ and 2 otherwise. Then, if
$n$ is even then $\delta(1) = 4$ else $\delta(1) = 2$. Thus, $\omega_4 = 1$ for even $n$ and $\omega_4 = 0$
otherwise. From the second equation of ©, we get

$$\omega_2 = 2^{n-1} - 3\omega_6 - 2\omega_4$$

and using the first equation of

$$\omega_0 = 2^n - \omega_6 - \omega_2 - \omega_4 = 2^{n-1} - \omega_6 + \omega_4 + 3\omega_6$$

leading to

$$\omega_6 = -2^{n-2} + \frac{\omega_0 - \omega_4}{2}.$$

Finally, we deduce from Theorem 6 that, for odd $n$,

$$\omega_6 = \frac{2^{n-2} + 1}{6} - \frac{K(1)}{8}$$

and for even $n$

$$\omega_6 = \frac{2^{n-2} - 4}{6} + \frac{K(1)}{8}.$$

Finally, it can be proved that $\omega_6 > 1$ for any $n > 6$, implying that $G_3$ is
differentially 6-uniform. Actually, it has been proved in [20, Th. 3.4] that

$$-2^{\frac{n}{2}+1} + 1 < K(1) < 2^{\frac{n}{2}+1} + 1$$

implying that $\omega_6 > 0$ when $n > 5$. It is worth noticing that $G_3$ is APN when
$n = 5$ since its inverse is the quadratic APN permutation $x \mapsto x^9$. When
$n = 4$, $G_3$ is locally-APN, and not APN, since it corresponds to the inverse
function over $\mathbb{F}_{2^4}$. □

By combining the previous theorem and Corollary 2, we deduce the
differential spectrum of $G_{n-2} : x \mapsto x^{2^{n-2}-1}$ over $\mathbb{F}_{2^n}$.

Corollary 5 Let $G_{n-2} : x \mapsto x^{2^{n-2}-1}$ over $\mathbb{F}_{2^n}$ with $n > 6$. Then, we have:

• if $\gcd(n, 3) = 1$, $G_{n-2}$ is differentially 6-uniform and for any $b \in \mathbb{F}_{2^n}$,
$\delta(b) \in \{0, 2, 6\}$. Moreover, its differential spectrum is given by:

$$\omega_6 = \begin{cases} \dfrac{2^{n-2} + 1}{6} - \dfrac{K(1)}{8} & \text{for odd } n \\[2mm] \dfrac{2^{n-2} - 4}{6} + \dfrac{K(1)}{8} & \text{for even } n \end{cases}$$

$$\omega_2 = 2^{n-1} - 3\omega_6$$

$$\omega_0 = 2^{n-1} + 2\omega_6 ;$$

• if 3 divides $n$, $G_{n-2}$ is differentially 8-uniform and for any $b \in \mathbb{F}_{2^n}$,
$\delta(b) \in \{0, 2, 6, 8\}$. Moreover, its differential spectrum is given by:

$$\omega_8 = 1$$

$$\omega_6 = \begin{cases} \dfrac{2^{n-2} - 5}{6} - \dfrac{K(1)}{8} & \text{for odd } n \\[2mm] \dfrac{2^{n-2} - 10}{6} + \dfrac{K(1)}{8} & \text{for even } n \end{cases}$$

$$\omega_2 = 2^{n-1} - 3\omega_6 - 4$$

$$\omega_0 = 2^{n-1} + 2\omega_6 + 3 ;$$



Proof. Let $(\omega'_0, \omega'_2, \omega'_4, \omega'_6)$ denote the differential spectrum of $G_3$ over $\mathbb{F}_{2^n}$.
We apply Corollary 2 (with $s = 3$). Then, if $\gcd(3, n) = 1$, $\delta_3(0) = 0$ and
$\delta_{n-2}(1) = 2$. Otherwise, $\delta_3(0) = 6$ and $\delta_{n-2}(1) = 8$. Moreover, in both
cases, $\delta_3(1) = 4$ for $n$ even and $\delta_3(1) = 2$ for $n$ odd. It follows that,

• for $\gcd(3, n) = 1$, $n$ odd, we have $(\delta_3(0), \delta_3(1)) = (0, 2)$ and
$(\delta_{n-2}(0), \delta_{n-2}(1)) = (0, 2)$. Then, $\omega_i = \omega'_i$ for all $i$;

• for $\gcd(3, n) = 1$, $n$ even, we have $(\delta_3(0), \delta_3(1)) = (0, 4)$ and
$(\delta_{n-2}(0), \delta_{n-2}(1)) = (2, 2)$. Then, $\omega_0 = \omega'_0 - 1$, $\omega_4 = \omega'_4 - 1$ and
$\omega_2 = \omega'_2 + 2$.

• for $\gcd(3, n) = 3$, $n$ odd, we have $(\delta_3(0), \delta_3(1)) = (6, 2)$ and
$(\delta_{n-2}(0), \delta_{n-2}(1)) = (0, 8)$. Then, $\omega_8 = 1$, $\omega_6 = \omega'_6 - 1$, $\omega_2 = \omega'_2 - 1$
and $\omega_0 = \omega'_0 + 1$.

• for $\gcd(3, n) = 3$, $n$ even, we have $(\delta_3(0), \delta_3(1)) = (6, 4)$ and
$(\delta_{n-2}(0), \delta_{n-2}(1)) = (2, 8)$. Then, $\omega_8 = 1$, $\omega_6 = \omega'_6 - 1$, $\omega_4 = \omega'_4 - 1$,
$\omega_2 = \omega'_2 + 1$ and $\omega_0 = \omega'_0$.

The result finally follows from Theorem 5. □

The minimum distance of the cyclic code of length $2^n - 1$ with defining set
$\{1, 7\}$ has been studied by van Lint and Wilson in [23]. More precisely, they
have proved that this code has minimum distance at most 4 for $n > 6$. The
previous corollary recovers this result and also provides the exact number
of codewords of weight 3 and 4 in this code.

Corollary 6 Let $B_3$ (resp. $B_4$) denote the number of codewords of Hamming
weight 3 (resp. of Hamming weight 4) in the binary cyclic code of
length $2^n - 1$ with defining set $\{1, 7\}$. Then, we have

• if n is odd 



B 3 = 
B 4 = (2 r 



yn-2 



+ 1 K(l] 



if n is even 



B 



(2 n - 1) 
3 



6 

Proof. Let $F(x) = x^d$ over $\mathbb{F}_{2^n}$ and let $\delta(b)$, $b \in \mathbb{F}_{2^n}$, denote the number of
solutions $x$ of

$$D_1 F(x) = F(x + 1) + F(x) = b .$$

It is known from Proposition 2 and Lemma 2 in [5] that the number of
codewords of weight 3 and 4 in the cyclic code of length $(2^n - 1)$ with
defining set $\{1, d\}$ is given by

£3 = ^^(5(1) -2) 

B 3 + B 4 = y ^ ' [#{(x,y)e¥ 2 nx¥ 2 n:D 1 F(x) = D 1 F(y)}-2 n+1 ]. 
Therefore, we have 

(2 n - 1) 

B3 + B 4 




23 



This formula was proved in Corollary 1 of [5], but only in the particular case
where $\gcd(d, 2^n - 1) = 1$. For $d = 7$, Theorem 5 implies that

B 3 + B 4 = (2 n - 1)^. 

Then, the values of $B_3$ and $B_4$ are deduced from the expression of $\omega_6$ given
in Theorem 5. □

5.2 Exponents $2^{\lfloor n/2 \rfloor} - 1$

We are going to determine the differential uniformity of $G_t$ for $t = \lfloor n/2 \rfloor$.
We first consider the case where $n$ is even. Note that in this case, $G_t$ is not
a permutation since $2^n - 1 = (2^t - 1)(2^t + 1)$.

Theorem 7 Let $n$ be an even integer, $n > 4$ and $G_t(x) = x^{2^t - 1}$ for $t = \frac{n}{2}$.
Then $G_t$ is locally-APN. More precisely

$$\delta(G_t) = 2^t - 2 \quad \text{and} \quad \delta(b) \leq 2, \ \forall\, b \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2 .$$

Moreover, the differential spectrum of $G_t$ is:

• if $n \equiv 0 \bmod 4$ then

$$\omega_i = 0, \ \forall\, i, \ 2 < i < 2^t - 2$$

$$\omega_2 = 2^{n-1} - 2^{t-1} + 1$$

$$\omega_0 = 2^{n-1} + 2^{t-1} - 2 ;$$

• if $n \equiv 2 \bmod 4$,

$$\omega_{2^t - 2} = 1$$

$$\omega_i = 0, \ \forall\, i, \ 4 < i < 2^t - 2$$

$$\omega_4 = 1$$

$$\omega_2 = 2^{n-1} - 2^{t-1} - 1$$

$$\omega_0 = 2^{n-1} + 2^{t-1} - 1 .$$

Proof. From Theorem 1 we obtain directly $\delta(0) = 2^t - 2$. Also, $\delta(1) = 2$
if $t$ is even and $\delta(1) = 4$ otherwise.

Now, for all $b \notin \mathbb{F}_2$, we have to determine the number of roots in $\mathbb{F}_{2^n}$ of
$P_b(x) = x^{2^t} + bx^2 + (b + 1)x$ or, equivalently, the number of roots of

$$(P_b(x))^{2^t} = x + b^{2^t} x^{2^{t+1}} + (b + 1)^{2^t} x^{2^t}. \qquad (7)$$

If $x$ is a root of $P_b$ then $x^{2^t} = bx^2 + (b + 1)x$. So, $P_b(x) = 0$ implies

$$(P_b(x))^{2^t} = x + b^{2^t} (x^{2^t})^2 + (b^{2^t} + 1) x^{2^t}$$

$$= x + b^{2^t} (bx^2 + (b + 1)x)^2 + (b^{2^t} + 1)(bx^2 + (b + 1)x)$$

$$= b^{2^t + 2} x^4 + (b^{2^t + 2} + b^{2^t + 1} + b^{2^t} + b) x^2 + (b^{2^t + 1} + b^{2^t} + b) x$$

$$= b^{2^t + 2} (x^2 + x)^2 + (b^{2^t + 1} + b^{2^t} + b)(x^2 + x).$$

Thus, we get a linear polynomial of degree 4 which has at least the roots
0 and 1. Hence, this polynomial has $r$ roots where $r$ is either 4 or 2, including
$x = 0$ and $x = 1$. Therefore, for any $b \notin \mathbb{F}_2$, $\delta(b) \leq 2$ since $\delta(b) \leq r - 2$. We
deduce that $G_t$ is locally-APN.

We also proved that $\omega_i = 0$ unless $i \in \{0, 2, 2^t - 2\}$ when $t$ is even and
$i \in \{0, 2, 4, 2^t - 2\}$ otherwise. Moreover $\omega_{2^t - 2} = \omega_4 = 1$. According to
Lemma 1 we have for $t$ even:

$$2^n = \omega_0 + \omega_2 + \omega_{2^t - 2} = \omega_0 + \omega_2 + 1$$

and

$$2^n = 2\omega_2 + (2^t - 2)\,\omega_{2^t - 2} = 2\omega_2 + (2^t - 2).$$

So, we get $\omega_2 = 2^{n-1} - 2^{t-1} + 1$ and conclude with $\omega_0 = 2^n - \omega_2 - 1$.
We proceed similarly for odd $t$, with the following equalities derived from
Lemma 1:

$$2^n = \omega_0 + \omega_2 + 2 \quad \text{and} \quad 2^n = 2\omega_2 + 2^t + 2.$$





And we directly deduce a property on the corresponding class of linear
polynomials.

Corollary 7 Let $n = 2t$ and let $\mathrm{Tr}_t$ denote the absolute trace on $\mathbb{F}_{2^t}$. Consider
the polynomials over $\mathbb{F}_{2^n}$:

$$x^{2^t} + bx^2 + (b + 1)x \quad \text{and} \quad x^{2^{t+1}} + bx^2 + (b + 1)x.$$

Then, for any $b \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2$, these polynomials have either 2 or 4 roots in $\mathbb{F}_{2^n}$.
The first one has 4 roots if and only if $\mathrm{Tr}_t(b^{-(2^t + 1)}) = 1$ with $(1 + b) \notin Q$,
where $Q$ is the cyclic subgroup of $\mathbb{F}_{2^n}$ of order $2^t + 1$.

Proof. Let $P_b(x) = x^{2^t} + bx^2 + (b + 1)x$. We define

$$Q_b(x) = \frac{(P_b(x))^{2^t} + b^{2^t} (P_b(x))^2 + (b^{2^t} + 1) P_b(x)}{b^{2^t + 2} (x^2 + x)}.$$

Using (7), we get:

$$Q_b(x) = x^2 + x + A, \quad \text{with } A = \frac{b^{2^t + 1} + b^{2^t} + b}{b^{2^t + 2}}.$$



To be clear, we summarize the situation:

- if $P_b(x) = 0$, $x \notin \{0, 1\}$, then $Q_b(x) = 0$;

- when $Q_b(x) = 0$, $x \notin \{0, 1\}$, one can have $P_b(x) \neq 0$;

- if $Q_b(x) = 0$ for $x \in \{0, 1\}$ only, this holds for $P_b(x)$ too.

We consider the case where $P_b(x) = 0$ has more than the two solutions 0
and 1. The equation $Q_b(x) = 0$ has two solutions (not in $\{0, 1\}$) if and only
if $\mathrm{Tr}(A) = 0$ with $A \neq 0$. But

$$\mathrm{Tr}(A) = \mathrm{Tr}\left(\frac{1}{b} + \frac{1}{b^2} + \frac{1}{b^{2^t + 1}}\right) = \mathrm{Tr}\left(\frac{1}{b^{2^t + 1}}\right) = 0,$$

for all $b$, since $b^{2^t + 1} \in \mathbb{F}_{2^t}$. And,

$$A \neq 0 \iff b^{2^t + 1} + b^{2^t} + b \neq 0 \iff (b + 1)^{2^t + 1} \neq 1,$$

that is: $b + 1$ is not in the cyclic subgroup $Q$ of order $2^t + 1$ of $\mathbb{F}_{2^n}$. On the
other hand, if $Q_b(x) = 0$ then $x^2 + x = A$ and we get

$$P_b(x) = x^{2^t} + x + b(x^2 + x)$$

$$= (x^2 + x)^{2^{t-1}} + (x^2 + x)^{2^{t-2}} + \cdots + (x^2 + x) + b(x^2 + x)$$

$$= A^{2^{t-1}} + \cdots + A + bA.$$

We compute this last expression by replacing the value of A: 

j=0 i=0 x ' 

where $\mathrm{Tr}_t$ is the absolute trace on $\mathbb{F}_{2^t}$. We conclude that $P_b(x) = 0$ if and
only if $\mathrm{Tr}_t(b^{-(2^t + 1)}) = 1$, with $b + 1 \notin Q$. □

According to Corollary 2, the differential spectrum of $x \mapsto x^{2^{n/2} - 1}$ determines
the differential spectrum of $x \mapsto x^{2^{n/2 + 1} - 1}$.

Theorem 8 Let $n$ be an even integer $n > 4$ and $G_{t+1}(x) = x^{2^{t+1} - 1}$ for
$t = \frac{n}{2}$. Then, $G_{t+1}$ is locally-APN. It is differentially $2^t$-uniform and its
differential spectrum is

$$\omega_{2^t} = 1$$

$$\omega_i = 0, \ \forall\, i, \ 2 < i < 2^t$$

$$\omega_2 = 2^{n-1} - 2^{t-1}$$

$$\omega_0 = 2^{n-1} + 2^{t-1} - 1 .$$

Moreover, $G_{t+1}$ is a permutation if and only if $n \equiv 0 \bmod 4$.

Proof. First, since $n = 2t$, we have $\gcd(t + 1, n) = 1$ if $t$ is even (i.e.,
$n \equiv 0 \bmod 4$) and $\gcd(t + 1, n) = 2$ if $t$ is odd (i.e., $n \equiv 2 \bmod 4$). Here
$s = t + 1$.

Let $(\omega'_i)_{0 \leq i \leq 2^n}$ (resp. $(\omega_i)_{0 \leq i \leq 2^n}$) denote the differential spectrum of $G_t$
(resp. $G_{t+1}$) over $\mathbb{F}_{2^n}$.

• For $n \equiv 0 \bmod 4$, we have $(\delta_t(0), \delta_t(1)) = (2^t - 2, 2)$ and $(\delta_s(0), \delta_s(1)) =
(0, 2^t)$. Thus, $\omega_0 = \omega'_0 + 1$, $\omega_2 = \omega'_2 - 1$, $\omega_{2^t - 2} = \omega'_{2^t - 2} - 1$ and $\omega_{2^t} = 1$.

• For $n \equiv 2 \bmod 4$, we have $(\delta_t(0), \delta_t(1)) = (2^t - 2, 4)$ and $(\delta_s(0), \delta_s(1)) =
(2, 2^t)$. Thus, $\omega_2 = \omega'_2 + 1$, $\omega_4 = \omega'_4 - 1$, $\omega_{2^t - 2} = \omega'_{2^t - 2} - 1$ and $\omega_{2^t} = 1$.

The differential spectrum of $G_{t+1}$ is then directly deduced by combining the
previous formulas with the values of $\omega'_i$ computed in Theorem □
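
The spectra stated in Theorems 7 and 8 can be checked by exhaustive search for small fields. The following Python sketch is an added example, not part of the paper: it computes the differential spectrum of $G_t$ over $\mathbb{F}_{2^n}$ by brute force and compares it with the stated values for n = 6 and n = 8. The reduction polynomials in `MODULI` and all function names are choices made for this example.

```python
from collections import Counter

# Moduli x^6+x+1 and x^8+x^4+x^3+x+1 for F_{2^n}; chosen for this example.
MODULI = {6: 0b1000011, 8: 0b100011011}

def gf_mul(a, b, n):
    """Multiply a and b in F_{2^n} = F_2[X]/(MODULI[n])."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= MODULI[n]
    return r

def gf_pow(x, e, n):
    """x^e in F_{2^n} by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x, n)
        x = gf_mul(x, x, n)
        e >>= 1
    return r

def spectrum(n, t):
    """{i: omega_i} for G_t(x) = x^(2^t-1), omega_i = #{b : delta(b) = i}."""
    g = [gf_pow(x, (1 << t) - 1, n) for x in range(1 << n)]
    delta = Counter(g[x ^ 1] ^ g[x] for x in range(1 << n))  # delta(b) = #{x : G_t(x+1)+G_t(x) = b}
    omega = Counter(delta.values())
    omega[0] = (1 << n) - len(delta)  # values b that are never reached
    return dict(omega)

def theorem7(n):
    """Spectrum of G_t, t = n/2, as stated in Theorem 7."""
    t, h = n // 2, 1 << (n - 1)
    if n % 4 == 0:
        return {2**t - 2: 1, 2: h - 2**(t - 1) + 1, 0: h + 2**(t - 1) - 2}
    return {2**t - 2: 1, 4: 1, 2: h - 2**(t - 1) - 1, 0: h + 2**(t - 1) - 1}

def theorem8(n):
    """Spectrum of G_{t+1}, t = n/2, as stated in Theorem 8."""
    t, h = n // 2, 1 << (n - 1)
    return {2**t: 1, 2: h - 2**(t - 1), 0: h + 2**(t - 1) - 1}

if __name__ == "__main__":
    for n in MODULI:
        print(n, spectrum(n, n // 2) == theorem7(n), spectrum(n, n // 2 + 1) == theorem8(n))
```

The entry $\omega_{2^t-2} = 1$ used for $n \equiv 0 \bmod 4$ in `theorem7` is taken from the proof of Theorem 7, which counts the single value $b = 0$ with $\delta(0) = 2^t - 2$.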

In the case where $n$ is odd, the differential uniformity of $G_t$, with $t = \frac{n-1}{2}$,
can also be determined.

Theorem 9 Let $n$ be an odd integer, $n > 3$. Let $G_t(x) = x^{2^t - 1}$ with $t =
(n - 1)/2$. Then, $G_t$ is a permutation and for all $b \in \mathbb{F}_{2^n} \setminus \mathbb{F}_2$ we have
$\delta(b) \in \{0, 2, 6\}$. Moreover

• if $n \equiv 0 \bmod 3$, then $\delta(G_t) = 8$, and the differential spectrum satisfies
$\omega_i = 0$ for all $i \notin \{0, 2, 6, 8\}$ and $\omega_8 = 1$.

• if $n \not\equiv 0 \bmod 3$, then $\delta(G_t) \leq 6$ and the differential spectrum satisfies
$\omega_i = 0$ for all $i \notin \{0, 2, 6\}$.

Proof. From Theorem 1 we have $\delta(0) = 0$; moreover, if 3 divides $n$ then
$\delta(1) = 8$ else $\delta(1) = 2$. Now, for all $b \notin \mathbb{F}_2$, we have to determine the number
of roots in $\mathbb{F}_{2^n}$ of

$$P_b(x) = x^{2^t} + bx^2 + (b + 1)x,$$

or, equivalently, the number of roots of

$$(P_b(x))^{2^{t+1}} = x + b^{2^{t+1}} x^{2^{t+2}} + (b + 1)^{2^{t+1}} x^{2^{t+1}}.$$

Set $c = b^{2^{t+1}}$ and $Q_b(x) = (P_b(x))^{2^{t+1}}$. If $x$ is a root of $P_b$ then $x^{2^t} =
bx^2 + (b + 1)x$. So, $P_b(x) = 0$ implies

$$Q_b(x) = x + c (x^{2^t})^4 + (c + 1)(x^{2^t})^2$$

$$= x + c (bx^2 + (b + 1)x)^4 + (c + 1)(bx^2 + (b + 1)x)^2$$

$$= c b^4 x^8 + (c (b + 1)^4 + (c + 1) b^2) x^4 + (c + 1)(b^2 + 1) x^2 + x .$$

Since $Q_b$ has degree 8, it has either 8 or 4 or 2 solutions. In other terms,
$\delta(b) \in \{0, 2, 6\}$. □

6 Conclusions 

In this work, we point out that the family of all power functions

$$\{ G_t : x \mapsto x^{2^t - 1} \text{ over } \mathbb{F}_{2^n},\ 1 < t < n \} \qquad (8)$$

has interesting differential properties. The study of these properties led us
to introduce locally-APN functions, as a generalization of the differential
spectrum of the inverse function.

In particular, we give several results about the functions with a low
differential uniformity within family (8). There are classes of functions $G_t$
such that $\delta(G_t) = 6$. It is the case for the functions $G_3$ over (see
Theorem 5).

The functions such that $\delta(G_t) \leq 4$ can be differentially 4-uniform for
even $n$ only (see Corollary 3). We have shown that, for exponents of the
form $2^t - 1$, the APN property imposes many conditions on the value of
$t$. In particular, it is easy to prove, using Theorem Q] that such exponent
must satisfy $\gcd(t, n) = 2$ for even $n$ and $\gcd(t, n) = \gcd(t - 1, n) = 1$ for
odd $n$. Another condition can be derived from the recent result by Aubry
and Rodier [1] who proved the following theorem.

Theorem 10 [1, Theorem 9] Let $G_t : x \mapsto x^{2^t - 1}$ over $\mathbb{F}_{2^n}$ with $t > 3$. If

$$7 < 2^t - 1 < 2^{n/4} + 4.6 \quad \text{then} \quad \delta(G_t) > 4.$$

Thanks to Corollary 2, we can extend this result as follows.

Corollary 8 Let $G_t : x \mapsto x^{2^t - 1}$ over $\mathbb{F}_{2^n}$ with $3 < t < n - 2$. If $\delta(G_t) \leq 4$,
then

$$\log_2(2^{n/4} + 5.6) < t < n + 1 - \log_2(2^{n/4} + 5.6) .$$

Proof. Let $s = n - t + 1$ so that $3 < s < n - 2$. In this proof, we denote by
$\delta_t(b)$ (resp. $\delta_s(b)$) the quantities $\delta(b)$ corresponding to $G_t$ (resp. $G_s$).
From Theorem 10, we know that $\delta(G_t) \leq 4$ implies

$$2^{n/4} + 4.6 < 2^t - 1, \quad \text{i.e.,} \quad t > \log_2(2^{n/4} + 5.6).$$

We consider now the function $G_s$. Note that, from Theorem 1, $\delta(G_t) \leq 4$
implies $\delta_t(0) \in \{0, 2\}$ and $\delta_t(1) \in \{2, 4\}$. Moreover, we obtain directly from
Corollary 2:

• $\delta_s(b) \leq 4$, for any $b \notin \mathbb{F}_2$.

• $\delta_s(0) \in \{0, 2\}$ and $\delta_s(1) \in \{2, 4\}$.

Thus $\delta(G_s) \leq 4$ and, applying Theorem 10 again, we get

$$s > \log_2(2^{n/4} + 5.6), \quad \text{i.e.,} \quad n + 1 - \log_2(2^{n/4} + 5.6) > t.$$

□

We now concentrate on APN functions belonging to the family (8). Some
are well-known as the inverse permutation for $n$ odd ($t = n - 1$) and the
quadratic function $x \mapsto x^3$ ($t = 2$). There is also the function $G_t$ for $t =
(n + 1)/2$ with $n$ odd, because this function is the inverse of the quadratic
function $x \mapsto x^{2^{(n+1)/2} + 1}$. Recall that $x^{2^i + 1}$ is an APN function over $\mathbb{F}_{2^n}$
if and only if $\gcd(n, i) = 1$ and we have obviously $\gcd(n, (n + 1)/2) = 1$
(for odd $n$). We conjecture that these three functions are the only APN
functions within family (8).

Conjecture 1 Let $G_t(x) = x^{2^t - 1}$, $2 \leq t \leq n - 1$. If $G_t$ is APN then either
$t = 2$ or $n$ is odd and $t \in \{\frac{n+1}{2}, n - 1\}$.

If the previous conjecture holds then there are some consequences for the
functions of (8) which are differentially 4-uniform. From Corollary HI we can
say that such a function $G_t$ is a function over $\mathbb{F}_{2^n}$ with $n$ even. Moreover
$G_s$, $s = n - t + 1$, is APN. If the conjecture holds then $s = 2$ ($t = n - 1$) is
the only possibility. So, in this case we could conclude that the inverse
function is the only differentially 4-uniform function of family